Why the Data Protection Bill Is Riddled With Problems

After months of deliberations that were cloaked in secrecy, the Justice Srikrishna Committee, on Friday, 27 July, finally submitted its report and a draft ‘Personal Data Protection Bill’ to the Ministry of Electronics and IT.

India – home to the second largest internet user population in the world – still does not have its own data protection law. With the draft legislation, it has finally taken a step towards proposing a comprehensive data protection and privacy framework. IT Minister Ravi Shankar Prasad will now review the draft and decide whether to introduce it in Parliament.

The Supreme Court’s judgment in August last year affirming privacy as a fundamental right was supposed to be the guiding principle for the 10-member committee.

The big question is, does the draft bill do enough to protect our fundamental right to privacy?

Everything That is Wrong With the Draft Bill

Data Ownership: Who owns our data held by private and government entities? We were hoping this question would be answered firmly in favour of us, the users. The draft bill, however, does not answer this crucial question.

Processing of personal data: The draft bill calls for seeking consent for personal data and explicit consent for sensitive personal data but provides exemptions for the government, which can process sensitive personal data without consent for “functions of the state” – a sweeping and broad term that could be prone to misuse.

Data Localisation: This provision raises two major concerns. First, a mandate to store a copy of every Indian citizen’s data within India raises questions about surveillance. Second, data localisation goes against the principle of an open internet based on interoperability of data.

Data Breach Notification: The draft bill says that if there has been a breach of someone’s personal data, the data processor or fiduciary responsible for this has to inform the Data Protection Authority. Unfortunately, whether or not the person whose data has been breached will be informed is left up to the Authority’s discretion – which means you may never be informed if your data has been leaked or stolen.

Aadhaar Act: The Committee’s report suggests certain changes to the Aadhaar Act 2016, but the draft bill doesn’t take any specific steps to address all the leaks and theft of Aadhaar data that have already taken place. The singular reference to Aadhaar numbers – not even the other data collected for Aadhaar – seems negligent, especially when viewed together with the government power to process personal data relating to welfare services and benefits.

RTI Act: The draft bill suggests an amendment to the RTI Act to impose a new test for when personal information can be revealed under an RTI request. The new test imposes a balancing act between harm and public interest – but the concept of harm is unclear and could allow more stonewalling of requests.

Why We Aren’t Surprised

To contextualise the draft bill we need to take a look at the committee that came up with it. Right from its inception on July 31, 2017, the committee has been plagued by three major concerns:

Civil Society Participation: The composition of the committee does not have adequate representation of civil society members. Eight of the ten members are either part of the government or have worked closely with the government on technology policy.

Weak Public Consultation: The committee did not make public the submissions it received to its white paper in November 2017 or make public its deliberations on the submissions. There was also no provision for counter-comments, which rendered the public consultation process incomplete.

Lack of Transparency: The committee has been cloaked in a veil of secrecy and its working has been opaque. A series of RTI queries seeking information about its meetings have been repeatedly rejected.